def generate_key_and_cert():
signing_key = rsa.generate_private_key(backend=crypto_default_backend(),
public_exponent=65537,
key_size=2048)
# private_key = signing_key.private_bytes(
# crypto_serialization.Encoding.DER,
# crypto_serialization.PrivateFormat.PKCS8,
# crypto_serialization.NoEncryption())
# public_key = signing_key.public_key().public_bytes(
# crypto_serialization.Encoding.DER,
# crypto_serialization.PublicFormat.PKCS1
# )
# Various details about who we are. For a self-signed certificate the
# subject and issuer are always the same.
subject = issuer = x509.Name([
x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"CA"),
x509.NameAttribute(NameOID.LOCALITY_NAME, u"San Francisco"),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"My Company"),
x509.NameAttribute(NameOID.COMMON_NAME, u"example.com"),
])
signing_cert = x509.CertificateBuilder().subject_name(subject).issuer_name(
issuer).public_key(signing_key.public_key()).serial_number(
x509.random_serial_number()).not_valid_before(
datetime.utcnow()).not_valid_after(
# Our certificate will be valid for 10 days
datetime.utcnow() + timedelta(days=10)
# Sign our certificate with our private key
).sign(signing_key, hashes.SHA256(),
crypto_default_backend()).public_bytes(
crypto_serialization.Encoding.DER)
return signing_key, signing_cert
def _make_key_cert_pair(self):
logging.debug("Auth: Creating server credentials")
private_key = rsa.generate_private_key(
backend=crypto_default_backend(),
public_exponent=65537,
key_size=2048)
public_key = private_key.public_key()
builder = x509.CertificateBuilder()
builder = builder.subject_name(
x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, self.hostname),
]))
builder = builder.issuer_name(
x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, self.hostname),
]))
builder = builder.not_valid_before(datetime.datetime.today() - day)
builder = builder.not_valid_after(datetime.datetime.today() +
EXPIRE_TIME)
builder = builder.serial_number(x509.random_serial_number())
builder = builder.public_key(public_key)
alt_names = []
if self.ip_info.ip4_address != None:
alt_names.append(
x509.IPAddress(ipaddress.IPv4Address(
self.ip_info.ip4_address)))
builder = builder.add_extension(x509.SubjectAlternativeName(alt_names),
critical=True)
certificate = builder.sign(private_key=private_key,
algorithm=hashes.SHA256(),
backend=crypto_default_backend())
ser_private_key = private_key.private_bytes(
crypto_serialization.Encoding.PEM,
crypto_serialization.PrivateFormat.PKCS8,
crypto_serialization.NoEncryption())
ser_public_key = certificate.public_bytes(
crypto_serialization.Encoding.PEM)
self.server_pub_key = ser_public_key
self.server_private_key = ser_private_key
def write_ssh_keys(path):
# Write ssh keys in path directory and return public and private paths
key = rsa.generate_private_key(backend=crypto_default_backend(),
public_exponent=65537,
key_size=2048)
private_key = key.private_bytes(
crypto_serialization.Encoding.PEM,
crypto_serialization.PrivateFormat.PKCS8,
crypto_serialization.NoEncryption(),
).decode("utf-8")
public_key = (key.public_key().public_bytes(
crypto_serialization.Encoding.OpenSSH,
crypto_serialization.PublicFormat.OpenSSH,
).decode("utf-8"))
pub_path = os.path.join(path, "id_rsa.pub")
priv_path = os.path.join(path, "id_rsa")
with open(pub_path, "w") as pub:
pub.write(public_key)
with open(priv_path, "w") as priv:
priv.write(private_key)
os.chmod(pub_path, 0o600)
os.chmod(priv_path, 0o600)
return (os.path.join(path, "id_rsa.pub"), os.path.join(path, "id_rsa"))
def generate_key(key_path):
# generate private/public key pair
key = rsa.generate_private_key(backend=crypto_default_backend(),
public_exponent=65537,
key_size=2048)
# get public key in OpenSSH format
public_key = key.public_key().public_bytes(
crypto_serialization.Encoding.OpenSSH,
crypto_serialization.PublicFormat.OpenSSH)
# get private key in PEM container format
private_key = key.private_bytes(
encoding=crypto_serialization.Encoding.PEM,
format=crypto_serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=crypto_serialization.NoEncryption())
if not os.path.exists(os.path.dirname(key_path)):
os.makedirs(os.path.dirname(key_path))
with open(key_path, "w") as text_file:
text_file.write(private_key.decode("utf-8"))
with open(key_path + '.pub', "w") as text_file:
text_file.write(public_key.decode("utf-8"))
text_file.write(" autogenerated vacation tool " +
datetime.datetime.now().isoformat(timespec='minutes'))
def generate_keypair(tempdir, name):
"""Generate an ssh keypair, and write to the tempdir."""
key = rsa.generate_private_key(backend=crypto_default_backend(),
public_exponent=65537,
key_size=4096)
private_key = key.private_bytes(
crypto_serialization.Encoding.PEM,
crypto_serialization.PrivateFormat.PKCS8,
crypto_serialization.NoEncryption(),
).decode()
public_key = (key.public_key().public_bytes(
crypto_serialization.Encoding.OpenSSH,
crypto_serialization.PublicFormat.OpenSSH,
).decode())
with open("{}/{}".format(tempdir, name), mode="w") as priv_key:
priv_key.write(private_key)
os.chmod("{}/{}".format(tempdir, name), 0o600)
with open("{}/{}.pub".format(tempdir, name), mode="w") as pub_key:
pub_key.write(public_key)
return ("{}/{}.pub".format(tempdir, name), "{}/{}".format(tempdir, name))
def public_key_from_serialized_key(self, serialized_key: bytes):
"""Set the public key, by deserialize the serialized public key."""
self._public_key = serialization.load_pem_public_key(
serialized_key,
backend=crypto_default_backend()
)
return self._public_key
def genattackerkeys():
sysRoot = os.path.expanduser('~')
dest_path = sysRoot + "/Documents/keysafe"
try:
os.makedirs(dest_path, 0o777, exist_ok=True)
except OSError as err:
dest_path = os.getcwd()
print("Creation of destination failed. Current directory is :" % dest_path)
except FileExistsError:
print("Attacker files exist. Quitting without creating new keys.")
print("Delete following folder and try again: " % dest_path)
else:
privkeypathstring = dest_path + '/private.pem'
pubkeypathstring = dest_path + '/public.pem'
private_key = rsa.generate_private_key(
backend=crypto_default_backend(),
public_exponent=65537,
key_size=2048
)
public_key = private_key.public_key()
public_key_pem = public_key.public_bytes(
crypto_serialization.Encoding.PEM,
crypto_serialization.PublicFormat.SubjectPublicKeyInfo
)
private_key_pem = private_key.private_bytes(
crypto_serialization.Encoding.PEM,
crypto_serialization.PrivateFormat.PKCS8,
crypto_serialization.NoEncryption())
with open(privkeypathstring, 'wb') as f:
f.write(private_key_pem)
with open(pubkeypathstring, 'wb') as f:
f.write(public_key_pem)
def init_key(self):
if self.ssh_custom_key:
return
for filename in os.listdir(self.config.get('local', 'data_dir')):
if not filename.startswith('yakey') or not os.path.isfile(
os.path.join(self.config.get('local', 'data_dir'),
filename)):
continue
key_path = os.path.join(self.config.get('local', 'data_dir'),
filename)
self.key_name = key_path.split(os.sep)[-1]
pmk_key = RSAKey.from_private_key_file(key_path)
logging.info('LOADED KEY %s' % key_path)
break
else:
self.key_name = self.get_rnd_name('yakey')
key = rsa.generate_private_key(backend=crypto_default_backend(),
public_exponent=65537,
key_size=2048)
pmk_key = RSAKey(key=key)
key_path = os.path.join(self.config.get('local', 'data_dir'),
self.key_name)
pmk_key.write_private_key_file(key_path)
logging.info('WRITTEN KEY %s' % key_path)
self.public_key = "%s %s" % (pmk_key.get_name(), pmk_key.get_base64())
self.ssh_custom_key = {'pkey': pmk_key}
if self.yascheduler:
self.yascheduler.ssh_custom_key = self.ssh_custom_key
def generate_key_pair(self):
private_key = rsa.generate_private_key(
backend=crypto_default_backend(),
public_exponent=self.public_exponent,
key_size=self.key_size)
return private_key, private_key.public_key()
def generate_key():
"""
Generates and adds a key to the SSH agent.
"""
key = rsa.generate_private_key(
backend=crypto_default_backend(),
public_exponent=65537,
key_size=4096,
)
private_key = key.private_bytes(
crypto_serialization.Encoding.PEM,
crypto_serialization.PrivateFormat.PKCS8,
crypto_serialization.NoEncryption(),
).decode()
public_key = key.public_key().public_bytes(
crypto_serialization.Encoding.OpenSSH,
crypto_serialization.PublicFormat.OpenSSH,
).decode()
with tempfile.NamedTemporaryFile(suffix='-ssha-temporary-key') as temp_key:
os.chmod(temp_key.name, 0o600)
with open(temp_key.name, 'w') as open_file:
open_file.write(private_key)
os.system('ssh-add -t 60 {}'.format(temp_key.name))
return public_key
def readKeyFile(self, filename):
try:
with open(filename, 'rb') as f:
data = f.read()
print('Existing key in {}'.format(filename), file=sys.stderr)
return load_pem_private_key(data,backend=crypto_default_backend(),password=None)
except (ValueError,FileNotFoundError,EOFError): return None
def generate_private_key(private_key_path,
public_exponent=65537,
key_size=2048):
"""Generate a private key in 'CONFIG_PATH/ssl/server.key'.
Parameters
----------
private_key_path : str
Path where the private key will be generated.
public_exponent : int, optional
Key public exponent. Default `65537`
key_size : int, optional
Key size. Default `2048`
Returns
-------
RSAPrivateKey
Private key.
"""
key = rsa.generate_private_key(public_exponent, key_size,
crypto_default_backend())
with open(private_key_path, 'wb') as f:
f.write(
key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.PKCS8,
encryption_algorithm=serialization.NoEncryption()))
os.chmod(private_key_path, 0o400)
return key
def get_public_save_private_key():
key = rsa.generate_private_key(backend=crypto_default_backend(),
public_exponent=65537,
key_size=2048)
public_key = key.public_key().public_bytes(
crypto_serialization.Encoding.OpenSSH,
crypto_serialization.PublicFormat.OpenSSH)
private_key = key.private_bytes(
crypto_serialization.Encoding.PEM,
crypto_serialization.PrivateFormat.TraditionalOpenSSL,
crypto_serialization.NoEncryption())
with open(PUBLIC_KEY, 'wb') as f:
f.write(public_key)
with open(PRIVATE_KEY, 'wb') as f:
f.write(private_key)
# Set read and write permission for user only
os.chmod(PUBLIC_KEY, 0o0600)
os.chmod(PRIVATE_KEY, 0o0600)
return public_key
def generateKey(n):
pbar = tqdm(total=3, position=None)
pbar.set_description("Generating Private Key")
key = rsa.generate_private_key(backend=crypto_default_backend(),
public_exponent=65537,
key_size=KEY_SIZE)
pbar.update()
pbar.set_description("Extracting Private Key")
pbar.update()
PRIVATE_KEY = key.private_bytes(
encoding=crypto_serialization.Encoding.PEM,
format=crypto_serialization.PrivateFormat.PKCS8,
encryption_algorithm=crypto_serialization.BestAvailableEncryption(
KEY_PASSPHRASE),
).decode()
pbar.set_description("Extracting Public Key")
pbar.update()
PUBLIC_KEY = key.public_key().public_bytes(
crypto_serialization.Encoding.OpenSSH,
crypto_serialization.PublicFormat.OpenSSH).decode()
#tqdm.write("PRIVATE_KEY={}".format(PRIVATE_KEY))
#tqdm.write("PUBLIC_KEY={}".format(PUBLIC_KEY))
tqdm.write("{} is complete. Generated {} bytes of key data.".format(
n,
len(PUBLIC_KEY) + len(PUBLIC_KEY)))
def generate_ssh_key() -> Tuple[str, str]:
"""Generate public and private ssh keys."""
key = rsa.generate_private_key(
backend=crypto_default_backend(), # type: ignore
public_exponent=65537,
key_size=4096,
)
private_key = str(
key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.NoEncryption(),
),
"utf8",
)
public_key = str(
key.public_key().public_bytes(
encoding=serialization.Encoding.OpenSSH,
format=serialization.PublicFormat.OpenSSH,
) + b" {{ cookiecutter.author_email }}",
"utf8",
)
return private_key, public_key
def lambda_handler(event,context):
try:
if event['RequestType'] == 'Create':
# Generate keys
new_key = rsa.generate_private_key(backend=crypto_default_backend(), public_exponent=65537, key_size=2048)
priv_key = new_key.private_bytes(
crypto_serialization.Encoding.PEM,
crypto_serialization.PrivateFormat.PKCS8,
crypto_serialization.NoEncryption()
)
pub_key = new_key.public_key().public_bytes(
crypto_serialization.Encoding.OpenSSH,
crypto_serialization.PublicFormat.OpenSSH
)
print(priv_key)
print(pub_key)
# Encrypt private key
kms = boto3.client('kms',region_name=event["ResourceProperties"]["Region"])
enc_key = kms.encrypt(KeyId=event["ResourceProperties"]["KMSKey"],Plaintext=priv_key)['CiphertextBlob']
f = open('/tmp/enc_key','wb')
f.write(enc_key)
f.close()
# Upload priivate key to S3
s3 = boto3.client('s3')
s3.upload_file('/tmp/enc_key',event["ResourceProperties"]["KeyBucket"],'enc_key')
else:
pub_key = event['PhysicalResourceId']
cfnresponse.send(event, context, cfnresponse.SUCCESS, {}, pub_key)
except:
traceback.print_exc()
cfnresponse.send(event, context, cfnresponse.FAILED, {}, '')
def __init__(conf: Configuration, name: str):
from cryptography.hazmat.primitives import serialization as crypto_serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.backends import default_backend as crypto_default_backend
ostack = OpenStack(conf)
key = rsa.generate_private_key(backend=crypto_default_backend(),
public_exponent=65537,
key_size=2048)
private_key = key.private_bytes(
crypto_serialization.Encoding.PEM,
crypto_serialization.PrivateFormat.
TraditionalOpenSSL, # PKCS8 is not supported best by paramiko
crypto_serialization.NoEncryption())
public_key = key.public_key().public_bytes(
crypto_serialization.Encoding.OpenSSH,
crypto_serialization.PublicFormat.OpenSSH)
keyBuilder = VMKeyPairItemBuilder() \
.set_name(name) \
.set_private_key(private_key) \
.set_public_key(public_key)
_create_key(conf, ostack, keyBuilder)
def create_ssh_keypair(size=2048):
"""
Make a new ssh keypair of a given size
:param: size (optional, defaults to 2048). How many bits large should the key be?
:return: UTF-8 strings representing the public key and private key in that order
"""
from cryptography.hazmat.primitives import serialization as crypto_serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.backends import default_backend as crypto_default_backend
key = rsa.generate_private_key(
backend=crypto_default_backend(),
public_exponent=65537,
key_size=size,
)
private_key = key.private_bytes(crypto_serialization.Encoding.PEM,
crypto_serialization.PrivateFormat.PKCS8,
crypto_serialization.NoEncryption())
public_key = key.public_key().public_bytes(
crypto_serialization.Encoding.OpenSSH,
crypto_serialization.PublicFormat.OpenSSH)
return public_key.decode('utf-8'), private_key.decode('utf-8')
def GenKeys(Logger: object,
KeyLength: int = 8192
): # Generates A Set Of RSA Keys For SSH Encryption #
'''
Generates a new keypair for encrypting CLI traffic.
This should generate a keypair of kength 8192 bits by default, however the KeyLength argument can be specified to set another length.
*Please don't use this function unless you know what you're doing!*
'''
Logger.Log(
f'Generating New Pub/Private Key Pair Of Length {KeyLength} Characters, Using The RSA Method'
)
KeyPair = rsa.generate_private_key(backend=crypto_default_backend(),
public_exponent=65537,
key_size=KeyLength)
PrivateKey = KeyPair.private_bytes(
crypto_serialization.Encoding.PEM,
crypto_serialization.PrivateFormat.TraditionalOpenSSL,
crypto_serialization.NoEncryption())
PublicKey = KeyPair.public_key().public_bytes(
crypto_serialization.Encoding.OpenSSH,
crypto_serialization.PublicFormat.OpenSSH)
Logger.Log('Generated Keypair')
return PublicKey, PrivateKey
def _create_db_ro_nsrs(self, nsr_id, now):
try:
key = rsa.generate_private_key(backend=crypto_default_backend(),
public_exponent=65537,
key_size=2048)
private_key = key.private_bytes(
crypto_serialization.Encoding.PEM,
crypto_serialization.PrivateFormat.PKCS8,
crypto_serialization.NoEncryption())
public_key = key.public_key().public_bytes(
crypto_serialization.Encoding.OpenSSH,
crypto_serialization.PublicFormat.OpenSSH)
private_key = private_key.decode('utf8')
public_key = public_key.decode('utf8')
except Exception as e:
raise NsException("Cannot create ssh-keys: {}".format(e))
schema_version = "1.1"
private_key_encrypted = self.db.encrypt(private_key,
schema_version=schema_version,
salt=nsr_id)
db_content = {
"_id": nsr_id,
"_admin": {
"created": now,
"modified": now,
"schema_version": schema_version
},
"public_key": public_key,
"private_key": private_key_encrypted,
"actions": [],
}
self.db.create("ro_nsrs", db_content)
return db_content
def generate_sshkey(self, user: User, key_name: str, service_key=False):
"""
Generate an SSH key to save in the database.
The private key is returned and not saved in the database.
"""
key = rsa.generate_private_key(backend=crypto_default_backend(),
public_exponent=65537,
key_size=2048)
private_key = key.private_bytes(
crypto_serialization.Encoding.PEM,
crypto_serialization.PrivateFormat.TraditionalOpenSSL,
crypto_serialization.NoEncryption()).decode("utf-8")
public_key = key.public_key().public_bytes(
crypto_serialization.Encoding.OpenSSH,
crypto_serialization.PublicFormat.OpenSSH).decode("utf-8")
self.name = key_name
self.public_key = public_key
self.service_key = service_key
try:
key_obj = self.store_key(user, key_name, public_key)
except KeyNameAlreadyExists:
raise
except PublicKeyAlreadyExists:
raise
return key_obj, private_key
def ssh_keygen(type: str = 'rsa', decode2str: bool = True):
# very handy SSH prv/pub keygen
# references:
# - https://stackoverflow.com/a/39126754
# - https://cryptography.io/en/latest/hazmat/primitives/asymmetric/ed25519.html
if type == 'rsa':
key = rsa.generate_private_key(public_exponent=65537,
key_size=2048,
backend=crypto_default_backend())
_key_private = key.private_bytes(
encoding=crypto_serialization.Encoding.PEM,
format=crypto_serialization.PrivateFormat.PKCS8,
encryption_algorithm=crypto_serialization.NoEncryption())
_key_public = key.public_key().public_bytes(
encoding=crypto_serialization.Encoding.OpenSSH,
format=crypto_serialization.PublicFormat.OpenSSH)
dict_keygen = {
'prv_fname': "id_{:s}".format(type),
'prv_key':
_key_private.decode('UTF-8') if decode2str else _key_private,
'pub_fname': "id_{:s}.pub".format(type),
'pub_key': _key_public.decode('UTF-8') if decode2str else _key_public,
}
return dict_keygen
def __gen_cert(subject_name: str, cert_attributes: CertAttributes, ca_crt: Certificate, ca_pkey):
now = datetime.datetime.utcnow()
crypto_backend = crypto_default_backend()
algorithm = hashes.SHA256()
subject = cert_attributes.create_x509_attributes(subject_name)
user_key = rsa.generate_private_key(public_exponent=65537, key_size=4096, backend=crypto_backend)
csr = x509.CertificateSigningRequestBuilder().subject_name(subject).sign(user_key, algorithm, crypto_backend)
crt = x509.CertificateBuilder() \
.subject_name(csr.subject).issuer_name(ca_crt.subject).public_key(csr.public_key()) \
.serial_number(x509.random_serial_number()) \
.not_valid_before(now).not_valid_after(now + datetime.timedelta(days=cert_attributes.valid_days)) \
.add_extension(extval=x509.KeyUsage(digital_signature=True, key_encipherment=True,
content_commitment=True, data_encipherment=False,
key_agreement=False, encipher_only=False,
decipher_only=False, key_cert_sign=False, crl_sign=False),
critical=True) \
.add_extension(extval=x509.BasicConstraints(ca=False, path_length=None), critical=True) \
.add_extension(extval=x509.AuthorityKeyIdentifier.from_issuer_public_key(ca_pkey.public_key()),
critical=False) \
.sign(private_key=ca_pkey, algorithm=hashes.SHA256(), backend=crypto_backend)
return {
'fqdn': subject_name,
'private_key': __serialize_private_key(user_key),
'cert_key': crt.public_bytes(encoding=crypto_serialization.Encoding.PEM).decode(DEFAULT_ENCODING),
'serial_number': f'{crt.serial_number:0>40X}'
}
async def fetch_cert(url):
try:
# If the URL points to a certificate, then use it as it is.
cert_pem = await fetch_text(url)
parsed = cryptography.x509.load_pem_x509_certificate(
cert_pem.encode("utf8"), backend=crypto_default_backend())
except ValueError:
# Otherwise, fetch the SSL certificate from the (host, port).
parsed_url = urlparse(url)
host, port = (parsed_url.netloc, parsed_url.port or 443)
loop = asyncio.get_event_loop()
cert_pem = await loop.run_in_executor(
None, lambda: ssl.get_server_certificate((host, port)))
parsed = cryptography.x509.load_pem_x509_certificate(
cert_pem.encode("utf8"), backend=crypto_default_backend())
return parsed
def encrypt_file(filepath):
with open("./client_public_key.pem", "rb") as key_file:
attacker_public_key = crypto_serialization.load_pem_public_key(key_file.read(),
backend=crypto_default_backend())
with open(filepath, 'rb') as f:
fileblob = f.read()
enc_blob = encrypt_blob(fileblob, attacker_public_key)
return enc_blob
def newkey(self):
"""Generate a RSA key."""
self.logger.log('Generating new key…', 1)
self.key = rsa.generate_private_key(backend=crypto_default_backend(),
public_exponent=65537,
key_size=2048)
self.saveKey(self.configuration['ssh']['default_key'],
self.configuration['ssh']['default_pubkey'])
def create_key_pair(key_cipher='rsa', key_format='openssh'):
if key_cipher == 'rsa' and key_format == 'openssh':
rsa_key = rsa.generate_private_key(backend=crypto_default_backend(),
public_exponent=65537,
key_size=4096)
private_key = rsa_key.private_bytes(
crypto_serialization.Encoding.PEM,
crypto_serialization.PrivateFormat.PKCS8,
crypto_serialization.NoEncryption())
public_key = rsa_key.public_key().public_bytes(
crypto_serialization.Encoding.OpenSSH,
crypto_serialization.PublicFormat.OpenSSH)
elif key_cipher == 'rsa' and key_format == 'pem':
rsa_key = rsa.generate_private_key(backend=crypto_default_backend(),
public_exponent=65537,
key_size=4096)
private_key = rsa_key.private_bytes(
crypto_serialization.Encoding.PEM,
crypto_serialization.PrivateFormat.PKCS8,
crypto_serialization.NoEncryption())
public_key = rsa_key.public_key().public_bytes(
crypto_serialization.Encoding.PEM,
crypto_serialization.PublicFormat.SubjectPublicKeyInfo)
elif key_cipher == 'ec' and key_format == 'pem':
# Ciphers: SECP384R1, SECP521R1
ec_key = ec.generate_private_key(ec.SECP521R1(), default_backend())
private_key = ec_key.private_bytes(
crypto_serialization.Encoding.PEM,
crypto_serialization.PrivateFormat.PKCS8,
crypto_serialization.NoEncryption())
public_key = ec_key.public_key().public_bytes(
crypto_serialization.Encoding.PEM,
crypto_serialization.PublicFormat.SubjectPublicKeyInfo)
else:
s = f"Unsupported key cipher {key_cipher} and/or format {key_format}."
print(s)
return -1
return {
'private_key': private_key.decode('utf-8'),
'public_key': public_key.decode('utf-8'),
'key_cipher': key_cipher,
'key_format': key_format
}
def rsa_key():
key = rsa.generate_private_key(backend=crypto_default_backend(),
public_exponent=65537,
key_size=2048)
return (key.public_key().public_bytes(
crypto_serialization.Encoding.OpenSSH,
crypto_serialization.PublicFormat.OpenSSH,
).decode("utf-8"))
def public_key_to_pem(self, private_key, public_key):
key = crypto_serialization.load_pem_private_key(
private_key, password=None, backend=crypto_default_backend())
return key.public_key().public_bytes(
crypto_serialization.Encoding.PEM,
crypto_serialization.PublicFormat.SubjectPublicKeyInfo
)
def load_privkey(fh):
_passphrase = passphrase
if _passphrase is not None \
and not isinstance(_passphrase, bytes):
_passphrase = _passphrase.encode('utf-8')
return load_pem_private_key(fh.read(),
password=_passphrase,
backend=crypto_default_backend())
def test_create_keypair(self):
resp = self.app.post('/compute/v2.0/os-keypairs',
params=json.dumps(create_keypair_req(keypair1)),
status=200)
jresp = json.loads(resp.body)
fingerprint = jresp['keypair']['fingerprint']
public_key = str(jresp['keypair']['public_key'])
private_key = str(jresp['keypair']['private_key'])
self.assertEqual(jresp, create_keypair_resp(keypair1,
fingerprint=fingerprint,
public_key=public_key,
private_key=private_key))
# Encrypt a test message using the returned public key
message = b'!!! test message'
encrypted = crypto_serialization.load_ssh_public_key(
public_key,
backend=crypto_default_backend()
).encrypt(
message,
crypto_padding.OAEP(
mgf=crypto_padding.MGF1(algorithm=crypto_hashes.SHA1()),
algorithm=crypto_hashes.SHA1(),
label=None
)
)
# Decrypt the (encrypted) test message using the returned private key
decrypted = crypto_serialization.load_pem_private_key(
private_key,
password=None,
backend=crypto_default_backend()
).decrypt(
encrypted,
crypto_padding.OAEP(
mgf=crypto_padding.MGF1(algorithm=crypto_hashes.SHA1()),
algorithm=crypto_hashes.SHA1(),
label=None
)
)
# Verify the decrypted message
self.assertEqual(decrypted, message)
def rsa_key():
key = rsa.generate_private_key(
backend=crypto_default_backend(),
public_exponent=65537,
key_size=2048
)
return key.public_key().public_bytes(
crypto_serialization.Encoding.OpenSSH,
crypto_serialization.PublicFormat.OpenSSH
).decode('utf-8')
def get_key(self):
response = self.ssm.get_parameter(Name=self.name_from_physical_resource_id(), WithDecryption=True)
private_key = str(response['Parameter']['Value'])
key = crypto_serialization.load_pem_private_key(
private_key, password=None, backend=crypto_default_backend())
public_key = key.public_key().public_bytes(
crypto_serialization.Encoding.OpenSSH,
crypto_serialization.PublicFormat.OpenSSH
)
return (private_key, public_key)
def create_key(self):
key = rsa.generate_private_key(
backend=crypto_default_backend(),
public_exponent=65537,
key_size=2048
)
private_key = key.private_bytes(
crypto_serialization.Encoding.PEM,
crypto_serialization.PrivateFormat.PKCS8,
crypto_serialization.NoEncryption())
public_key = key.public_key().public_bytes(
crypto_serialization.Encoding.OpenSSH,
crypto_serialization.PublicFormat.OpenSSH
)
return (private_key, public_key)
def create(self, keypair):
"""
create (or import) a keypair
"""
LOG.info('create(keypair=%s)', keypair)
if 'public_key' in keypair:
private_key = None
try:
public_key = ' '.join(keypair['public_key'].strip()
.split(' ')[0:2])
except Exception: # pylint: disable=W0703
raise exception.Failure(reason='Invalid public key')
else:
# Generate a new keypair if the request doesn't contain a public
# key
key = crypto_rsa.generate_private_key(
backend=crypto_default_backend(),
public_exponent=65537,
key_size=2048,
)
private_key = key.private_bytes(
crypto_serialization.Encoding.PEM,
crypto_serialization.PrivateFormat.PKCS8,
crypto_serialization.NoEncryption(),
)
public_key = key.public_key().public_bytes(
crypto_serialization.Encoding.OpenSSH,
crypto_serialization.PublicFormat.OpenSSH,
)
# Calculate the key fingerprint
fp_plain = md5(b64decode(public_key.split()[1])).hexdigest()
fp = ':'.join(a + b for (a, b) in zip(fp_plain[::2], fp_plain[1::2]))
# Create the new keypair in the database
new_keypair = self.db.keypairs.create(name=keypair['name'],
fingerprint=fp,
public_key=public_key)
# Add the private key to the response
if private_key is not None:
new_keypair['private_key'] = private_key
return new_keypair
def validate_signature(event, context, **kwargs):
"""Validate the signature of each collection.
"""
server_url = event["server"]
bucket = event.get("bucket", "monitor")
collection = event.get("collection", "changes")
client = Client(server_url=server_url, bucket=bucket, collection=collection)
print("Read collection list from {}".format(client.get_endpoint("collection")))
error_messages = []
checked_certificates = {}
collections = client.get_records()
# Grab server data in parallel.
start_time = time.time()
collections_data = []
with concurrent.futures.ThreadPoolExecutor(
max_workers=PARALLEL_REQUESTS
) as executor:
futures = [
executor.submit(download_collection_data, server_url, c)
for c in collections
]
for future in concurrent.futures.as_completed(futures):
collections_data.append(future.result())
elapsed_time = time.time() - start_time
print(f"Downloaded all data in {elapsed_time:.2f}s")
for i, (collection, endpoint, metadata, records, timestamp) in enumerate(
collections_data
):
start_time = time.time()
message = "{:02d}/{:02d} {}: ".format(i + 1, len(collections), endpoint)
# 1. Serialize
serialized = canonical_json(records, timestamp)
data = b"Content-Signature:\x00" + serialized.encode("utf-8")
# 2. Grab the signature
try:
signature = metadata["signature"]
except KeyError:
# Destination has no signature attribute.
# Be smart and check if it was just configured.
# See https://github.com/mozilla-services/remote-settings-lambdas/issues/31
client = Client(
server_url=server_url,
bucket=collection["bucket"],
collection=collection["collection"],
)
with_tombstones = client.get_records(_since=1)
if len(with_tombstones) == 0:
# It never contained records. Let's assume it is newly configured.
message += "SKIP"
print(message)
continue
# Some records and empty signature? It will fail below.
signature = {}
try:
# 3. Verify the signature with the public key
pubkey = signature["public_key"].encode("utf-8")
verifier = ecdsa.VerifyingKey.from_pem(pubkey)
signature_bytes = base64.urlsafe_b64decode(signature["signature"])
verified = verifier.verify(signature_bytes, data, hashfunc=hashlib.sha384)
assert verified, "Signature verification failed"
# 4. Verify that the x5u certificate is valid (ie. that signature was well refreshed)
x5u = signature["x5u"]
if x5u not in checked_certificates:
resp = requests.get(signature["x5u"])
cert_pem = resp.text.encode("utf-8")
cert = cryptography.x509.load_pem_x509_certificate(
cert_pem, crypto_default_backend()
)
assert (
cert.not_valid_before < datetime.now()
), "certificate not yet valid"
assert cert.not_valid_after > datetime.now(), "certificate expired"
subject = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[
0
].value
# eg. ``onecrl.content-signature.mozilla.org``, or
# ``pinning-preload.content-signature.mozilla.org``
assert subject.endswith(
".content-signature.mozilla.org"
), "invalid subject name"
checked_certificates[x5u] = cert
# 5. Check that public key matches the certificate one.
cert = checked_certificates[x5u]
cert_pubkey_pem = cert.public_key().public_bytes(
crypto_serialization.Encoding.PEM,
crypto_serialization.PublicFormat.SubjectPublicKeyInfo,
)
assert (
unpem(cert_pubkey_pem) == pubkey
), "signature public key does not match certificate"
elapsed_time = time.time() - start_time
message += f"OK ({elapsed_time:.2f}s)"
print(message)
except Exception:
message += "⚠ BAD Signature ⚠"
print(message)
# Gather details for the global exception that will be raised.
signed_on = metadata["last_modified"]
signed_on_date = timestamp_to_date(signed_on)
timestamp_date = timestamp_to_date(timestamp)
error_message = (
"Signature verification failed on {endpoint}\n"
" - Signed on: {signed_on} ({signed_on_date})\n"
" - Records timestamp: {timestamp} ({timestamp_date})"
).format(**locals())
error_messages.append(error_message)
# Make the lambda to fail in case an exception occured
if len(error_messages) > 0:
raise ValidationError("\n" + "\n\n".join(error_messages))
import server.createdb
pjoin = os.path.join
data_dir = pjoin(os.getcwd(), 'data')
print ("Creating Data Directories")
mkpath(pjoin(data_dir, 'sketches'))
mkpath(pjoin(data_dir, 'experiments'))
mkpath(pjoin(data_dir, 'ssh-keys'))
server.createdb.createdb(data_dir)
print ("Creating SSH Keys")
key = rsa.generate_private_key(
backend=crypto_default_backend(),
public_exponent=65537,
key_size=2048
)
private_key = key.private_bytes(
crypto_serialization.Encoding.PEM,
crypto_serialization.PrivateFormat.TraditionalOpenSSL,
crypto_serialization.NoEncryption())
public_key = key.public_key().public_bytes(
crypto_serialization.Encoding.OpenSSH,
crypto_serialization.PublicFormat.OpenSSH
)
with open(pjoin(data_dir, 'ssh-keys', 'ssh_host_rsa_key.pub'), 'wb') as f:
f.write(public_key)
